PHP is working for a couple of years to ditch mysql_ extension from PHP. See this post: http://news.php.net/php.internals/53799
So if you are like me and have created hundreds of thousands of lines of code in the 'ol mysql_ extention, you might want to rewrite all that stuff before PHP6 comes out. Clever move, PHP. The object orientated folks know it all!
They think that using mysqli or pdo
Forum: News and Links

_Andy, that's fun for some lulz, but no lessons are learned there. Most pentesters will grab it and run it on some level of trust. I always make the distinction between hats (all colors) and pentesters, often pentesters are not versed in these things, since a lot of them are simply sysadmins or someone put in charge with a silly ISC2 / CISSP paper without any real world experiences. That said, mo
Forum: OMG Ponies

@Gareth Heyes
Ah yes, that might be a good consideration as well. Personally I have no clue if his obfuscation is any good, I don't feel very at home at obfuscating stuff, let alone de-obfuscating it, although I do know that it's pretty much all the time pointless to pursuit cloaking JavaScript it from an attackers standpoint. Not to mention the valid argument of yours that it can break all sor
Forum: Obfuscation

If you reason like; As long as I don't understand what I am doing, plus adding some pseudo complexity that might actually weaken it beyond your scope because of the false assumption that more insecure seeding is better than no seeding at all, frankly the answer would be: No.
Forum: Projects

Short answer (since I'm going to bed in a moment) did you try to race the hash? i.e. by getting at least 5 to 10 pairs per seconds and try to find discrepancies? If you can trigger 5-10 requests per second with no difference, but in every Nth second, it could be that they use a UNIX time-stamp, micro-time is somewhat harder to race against, but not impossible. That's what I would do first in such
Forum: Projects

Another scenario is that some scripts allow streaming of files, including PHP files in the form of attachments, you'll notice them with:
download.php?file=blah.zip <- just locate a PHP or any other file.
Forum: SQL and Code Injection

...and he is now part he & more of a she, or almost a she, to make it more complex. I'm like a chameleon right now, I'm all over the place (; anywhocares, my oldest account here is from 10/30/2006 man, can you believe it? almost 4 years slacking here!
Forum: Intro

<Thinking-OutLoud>
I think the ultimate lesson to learn here is simple: Everyone who think that they don't make mistakes, eventually make inevitable mistakes. Maybe that's why peer review is so important in scientific circles? a comforting thought...
</Thinking-OutLoud>
Forum: News and Links

LIVECONNECT - Some research I did couple of years ago, might be useful to share. This is gathered and not everything might work as it contains test cases I wrote, and snippets from other resources which maybe cannot be found elsewhere anymore.
Introduction
LiveConnect is a library that permits JavaScript and Java virtual machines to interoperate. Specifically, it enables JavaScript to access J
Forum: Projects

Interesting Gaz. So only CSS? no JS? and does it needs to work in all browsers? most CSS3 is poorly supported yet (like: move-to for moving content for example), Opera excluded of course.
Forum: OMG Ponies

Playing around with the <keygen> tag a couple of minutes and found this. Later on after I posted it on Bugzilla (546308) I found that Thierry Zoller among others had discovered it already a bit earlier (Bug 469565). Practically the same, though in practice different. On first glance it might look an obvious denial of service, one key point has been omitted in the other bug in my opinion. Ke
Forum: DoS

I've been in graphic design and this is more common than one would want to believe. I've never been on very good terms with Stefan Esser, but this is somewhat notably funny imho.
After visiting sektioneins I stumbled upon a very nice idea:
a PHP security poster, to hang on your wall next to your pinups and playboy foldouts. However, as in code so in print: humans make mistakes.
I instantly
Forum: News and Links

rvdh here to inform you, SAS(ha) is my new account under which I will be posting.
id: I think I got added in in your ip tables, because I had to use a proxy to reach here after signing up and making a dozen queries to mark everything read on this board.
Forum: Intro